Shmooganography 2014 Steganography Write Up

Posted by Brian Cardinale in Challenges, Misc

Jan 24, 14

This past weekend I attended ShmooCon 2014, which is an annual East Coast
hacking conference where like-minded, and sometimes unlike-minded, people
gather to exchange ideas and have a generally good time. The conference
provides a forum for various speakers to present their research. Among the
varying and interesting talks presented there are also many contests around the
conference. There are a number of Capture the Flag (CTF) contests involving
wireless, binary reversing, trivia and cryptography as well as steganography,
which is the practice of hiding a message in plain sight. We took a crack at
the steganography challenge and here is an outline of our experience and
thought process.

Shmooganography was announced at the opening ceremony and we were told
to investigate a huge Star Gate portal at the other end of the con. There was
to be found a large Star Gate portal made out of printed cardboard cutouts and
Christmas lights which were pulsating to the sound of the Star Gate theme
music playing repeatedly. Also, there was a bar code scanner with the
instruction to scan your registration bar code to determine which Star Gate
character out of 5 you were.

Conferences promote social interaction within and outside the community and 
this first challenge promoted this social interaction. In order to obtain the first 
glyph, five bar codes need to be scanned that would render the five different 
Star Gate characters and render the first glyph, which ended up being Scorpio, 
and the next clue. 

"The dial spins and chevrons are engaged. Getting the order correct 
yields the next generation" 

The next clue led to investigating the four cardboard Shmooganography
posters scattered across the Washington Hilton conference area that
featured an ancient Star Gate with nine chevrons.



The poster had nine chevrons either fully colored red or partially colored. The 
nine chevrons then pointed to 8 boxes on the right hand side, one chevron being 
disconnected. The color of the chevrons and the order changed between the 
posters. During this part of the challenge a hint was released on 
the Shmooganography site. 

"Stage 2: What the chevron on each gate points to doesn't matter as
much as whether it is on. Or off. Or connected at all."

On and off was a big hint indicating the chevrons were a binary representation
with 8 positions, which can yield the numbers 0-255. This information coupled
with the 4 separate signs indicated that we had 4 sets of 8 binaries, which bears
a striking resemblance to the description of an IP address. The order of the
numbers played a role, but the number of positions didn't limit the ability to
guess. Another clue was released to provide the proper order as no one was
making it past this phase in any timely manner.



None of the IP addresses we derived were responding to network traffic or even 
in this country which made the whole decoding process questionable. There was 
a lot of head scratching at this point. We hit a wall. Then this hint was posted: 

"Stage 2: The chevrons are broken. The creator made a mistake. They 
should decode to 205.134.172.239 (when put in order). Still refer to 
the previous hints to know what to do with this information." 
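
The decoding described above, as an added example that is not part of the original write-up: each poster is read as one octet, and every poster order and bit order is enumerated because neither was known up front. The `POSTERS` readings and the function names are constructed for illustration, chosen so that they encode the address given in the hint; the real poster patterns are not reproduced on this page.

```python
import ipaddress
from itertools import permutations

# Constructed poster readings (NOT the real posters): '1' = chevron on,
# '0' = chevron off, 'x' = the one chevron not connected to a box.
POSTERS = ["1100x1101", "x10000110", "10101100x", "111x01111"]


def octet(reading, msb_first=True):
    """Drop the disconnected chevron and read the other eight as one byte."""
    bits = [c for c in reading if c in "01"]
    if len(reading) != 9 or len(bits) != 8:
        raise ValueError(f"need 8 connected chevrons and 1 loose one: {reading!r}")
    if not msb_first:
        bits.reverse()
    return int("".join(bits), 2)


def candidates(posters):
    """All dotted quads the posters could spell: 4! orders x 2 bit orders."""
    found = set()
    for msb_first in (True, False):
        octets = [str(octet(p, msb_first)) for p in posters]
        found.update(".".join(order) for order in permutations(octets))
    return found


def unicast(addrs):
    """Discard candidates that cannot be an ordinary public host."""
    keep = []
    for text in addrs:
        ip = ipaddress.IPv4Address(text)
        if not (ip.is_multicast or ip.is_reserved or ip.is_private):
            keep.append(text)
    return sorted(keep)


if __name__ == "__main__":
    pool = candidates(POSTERS)
    print(len(pool), "candidates,", len(unicast(pool)), "plausible hosts")
    print("hinted address present:", "205.134.172.239" in pool)
```

Even with all four octets read correctly, dozens of orderings survive the filter, which is why the ordering hint mattered.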



Please return your chair to the upright and vertical positions. OK, so now there
is a working IP address, finally. Time to investigate what is listening at the other
end. Here is where nmap is your friend!

A couple web ports are open, all of which redirect to http://www.shmoocon.org/.
The last hint said to refer to previous hints.

"Stage 2: Need to echo a change of host... URL - CON + COM - ORG"

This was interpreted as adding an entry into our hosts files for the newly
acquired IP address. Using the math provided by the hint, "con" and "com" get
removed from "www.shmoocon.org", and "com" gets added yielding
"www.shmoo.com". The hosts file was updated to map www.shmoo.com
to 205.134.172.239. Now, the IP address returns the shmoo.com homepage, but
no further clues to the game. Back to the hints.

"Stage 2: Know your glyphs! Start with Earth in the northeast corner.
Take it from there. First letter each, upper case. Don't forget Hint #2."

Earth was one of the glyphs in the poster boards that were not connected to a
position. The other glyphs not connected to a position on the board were: Orion,
Hydra, Equuleus, Capricornus. The capital first letters of which spell out
ECHO. Time to try: www.shmoo.com/ECHO



Bingo! 

The clue was vague. Port knocking was a theory. If we connected to two 
separate ports, another may appear. At this time we broke out and went to the 
ShmooCon Reception to go cash in on our free drinks. Thanks ShmooGroup! At 
the reception, we were able to talk to the organizer of the contest and air our, 
er, frustrations over the IP address and learn a little about them. They were 
genuinely cool guys and this information might come in handy later. So, 
remember it's important to socialize at cons for all sorts of reasons!

The next morning we went back down to the Star Gate to try to decode the next
clue. Another hint was released:

"Stage 3: The black hole casts a hue; but it is sound which activates
its data transfer. That Gate music has a nice beat to it."

There were two boxes in the area that had black lights in them, which satisfied the
"black hole" and "hue" part, but how to activate them with sound was not
obvious. There was a black device taped inside the box, but no visible serial
numbers. We attempted to play the Star Gate theme music into the box to see if
the black light would start flashing Morse code, but alas no luck. Referring back
to the SAGITTARIUS clue concerning two gates being connected we decided to 
start rhythmically tapping both boxes to see what happens. After a few 
moments, there was audio coming out of one of the boxes and squeals coming 
out of me. We activated the portal! 

The sound that played was an audio clip from the show Star Gate which read the
following:

"Humans and material obviously traverse the wormholes, but the
event horizon conveys much more."



Also in the clip was audible noise. A signal! We recorded the message and broke 
off to some place quiet to start decoding the signal. Loading the recorded file in 
Audacity and switching to the spectrogram view yields the following. 



There is clearly data inside this file! The question is how is it encoded? An 
important lesson in these challenges is to try and not over think things, but that 
didn't stop us from diving deep into the rabbit hole looking into signal encoding. 

There are 27 positions of data which is odd for computer signals to not have an 
even number. The frequency of the signals also did not correlate to DTMF tones 
which was an early theory we held. We were stumped. Then another clue was 
released. 

"10: Stage 3: Don't be hexed by pieces of eight."

Easy for you to say, game maker! At this point the conference closing ceremony 
was coming upon us as well as the end of the time frame allowed for the 
challenge and we have yet still to determine the data. 

It was actually a good clue we later realized at the closing ceremonies. I believe
the signal was a representation of octal if I recall correctly. It's a little fuzzy as
we were drinking our woes away for being beat by an eleven year old! We may
have worked against ourselves, and pointed him in the direction of the portals
with the audio signal, 'cause that's what this experience was all about: learning
something new and helping others learn it too! Congrats, Kid! We'll get you next
year!